SAML Authentication Rest Endpoint for BOE on Tomcat

This document summarizes the planned enhancements in the next SAP BI 4.2 Support Package 5 for the new Fiori BI Launchpad. As the SAP BI 4.2 SP5 content is still subject to change, please consider the legal disclaimer statement below:

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP’s willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

The SAML REST API can be invoked by any client that mimics the behavior of a web browser for SAML authentication.

The REST endpoint for SAML authentication is http://host:<port>/biprws/v1/logon/saml; it takes no query parameters. It reads the user principal from the HTTP request object, performs a trusted authentication for that user principal, and returns the serialized token.

To configure SAML for the REST endpoint, follow the procedure below:

1. Configure Trusted Authentication for REST Web Services on Tomcat with Websession as the option.

2. User creation on BOE

The IDP user has to be created in BOE, or imported through an SDK script or via the CSV option in the CMC. SAML-based authentication relies on trusted authentication (TrustedAuth) from the web server to the CMS. For this, the IDP users have to exist in BOE as Enterprise users.

3. Delete the biprws work folder under <BOE Install Dir>\tomcat\work.

4. Update IDP metadata

To update the IDP metadata in the SP, download the IDP metadata from the respective identity provider. Copy the metadata file to <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF and rename it to idp-meta-downloaded.xml. For more details on downloading the IDP metadata, refer to Tenant SAML 2.0 Configuration.

If BOE is deployed on a non-Windows machine, the path separators in the file path to the IDP metadata under the bean FilesystemMetadataProvider must be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.

i.e. <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value>.

5. Keystore generation

This step is optional and applies only if you want to use your own keystore file.

SAML exchanges use cryptography for signing and encrypting data. A sample self-signed keystore, sampletestKeystore.jks, is packaged with the product and is valid until October 18, 2019. sampletestKeystore.jks has the alias Testkey and the password Password1. You can generate your own self-signed keystore file using the Java utility keytool. Follow the steps below to generate a keystore file:

Note: The SP metadata has to be regenerated every time this keystore file is changed. The sample SP metadata works only with the sample keystore certificate.

6. Restart the Tomcat application server.

7. Generate and upload the service provider metadata.

Go to http://host:tomcatport/biprws/v1/logon/saml/saml/metadata. The XML file is downloaded automatically when you navigate to this URL. Upload the XML file to the identity provider using the relevant IDP's metadata import feature.

Note

A pre-generated service provider (SP) metadata file is shipped by default. You can edit and upload this file instead. In <BOE Install Dir>\tomcat\webapps\biprws\WEB-INF\spring_saml_metadata.xml, replace the XML tags <replace_withip> with the IP address or hostname of the machine, depending on your network, and <replace_withport> with the Tomcat port number.
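The placeholder substitution together with a pre-upload sanity check, as an added example that is not part of this document or of the SAP product: the metadata below is a constructed stand-in for spring_saml_metadata.xml that only carries the page's two placeholders, and the host name and port used are assumed values. The check flags a forgotten placeholder, malformed XML, an endpoint that does not point at the configured host:port, and endpoints that still use plain http.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the shipped spring_saml_metadata.xml (not the real
# file); it carries the page's <replace_withip>/<replace_withport> placeholders.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="http://<replace_withip>:<replace_withport>/biprws/v1/logon/saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://<replace_withip>:<replace_withport>/biprws/v1/logon/saml/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://<replace_withip>:<replace_withport>/biprws/v1/logon/saml/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fill_sp_metadata(xml_text, host, port):
    """Replace both placeholders with the Tomcat host and port."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid Tomcat port: {port}")
    return xml_text.replace("<replace_withip>", host).replace("<replace_withport>", str(port))

def check_sp_metadata(xml_text, host, port):
    """Return a list of findings for the filled metadata (empty list = clean)."""
    findings = []
    if re.search(r"<replace_with(ip|port)>", xml_text):
        findings.append("unreplaced placeholder left in metadata")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A leftover '<...>' placeholder inside an attribute also breaks parsing.
        return findings + [f"metadata is not well-formed XML: {exc}"]
    expected = f"{host}:{port}"
    # entityID plus every endpoint Location must point at the same host:port.
    urls = [root.get("entityID")] + [
        el.get("Location") for el in root.iter() if el.get("Location")]
    for url in urls:
        parsed = urlparse(url)
        if parsed.netloc != expected:
            findings.append(f"endpoint {url} does not point at {expected}")
        if parsed.scheme != "https":
            findings.append(f"endpoint {url} uses plain http; assertions would travel unencrypted")
    return findings
```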

For example, if HCP is the IDP, follow these steps:

The SP metadata must be uploaded when creating a SAML application in HCP.

1. Create a new app under Applications.

(Screenshot: App Creation)

2. Upload the SP metadata as shown in the screenshot.

If you are using SAP Cloud Identity, to create a SAML application in the IDP and upload the SP XML to it for configuring SAML SSO to the BI Platform, refer to Configure a Trusted Service Provider.